How to install and configure Logwatch

Logs are an invaluable source of information about problems that may arise in your server. Logwatch keeps an eye on your logs for you, flags items that may be of interest, and reports them via email.

Install Logwatch

Install logwatch using the following command:

sudo apt install logwatch

You will also need to manually create a temporary directory in order for it to work:

sudo mkdir /var/cache/logwatch

Configure logwatch

Logwatch’s default configuration is kept in /usr/share/logwatch/default.conf/logwatch.conf. However, configuration changes made directly to that file can be overwritten during updates, so instead the file should be copied into /etc and modified there:

sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/

With your favorite editor, open /etc/logwatch/conf/logwatch.conf. The uncommented lines indicate the default configuration values. First, lets customise some of the basics:

Output = mail
MailTo = [email protected]
MailFrom = [email protected]
Detail = Low
Service = All

This assumes you’ve already set up mail services on host1 that will allow mail to be delivered to your me@mydomain.org address. These emails will be addressed from logwatch@host1.mydomain.org.

The Detail level defines how much information is included in the reports. Possible values are: Low, Medium, and High.

Logwatch will then monitor logs for all services on the system, unless specified otherwise with the Service parameter. If there are undesired services included in the reports, they can be disabled by removing them with additional Service fields. E.g.:

Service = "-http"
Service = "-eximstats"

Next, run logwatch manually to verify your configuration changes are valid:

sudo logwatch --detail Low --range today

The report produced should look something like this:

################### Logwatch 7.4.3 (12/07/16) ####################
       Processing Initiated: Fri Apr 24 16:58:14 2020
       Date Range Processed: today
                             ( 2020-Apr-24 )
                             Period is day.
       Detail Level of Output: 0
       Type of Output/Format: stdout / text
       Logfiles for Host: `host1.mydomain.org`
##################################################################
 
--------------------- pam_unix Begin ------------------------
 
sudo:
   Sessions Opened:
      bryce -> root: 1 Time(s)
 
 
---------------------- pam_unix End -------------------------
 
 
--------------------- rsnapshot Begin ------------------------
 
ERRORS:
    /usr/bin/rsnapshot hourly: completed, but with some errors: 5 Time(s)
    /usr/bin/rsync returned 127 while processing root@host2:/etc/: 5 Time(s)
    /usr/bin/rsync returned 127 while processing root@host2:/home/: 5 Time(s)
    /usr/bin/rsync returned 127 while processing root@host2:/proc/uptime: 5 Time(s)
    /usr/bin/rsync returned 127 while processing root@host3:/etc/: 5 Time(s)
    /usr/bin/rsync returned 127 while processing root@host3:/home/: 5 Time(s)
    /usr/bin/rsync returned 127 while processing root@host3:/proc/uptime: 5 Time(s)
 
 
---------------------- rsnapshot End -------------------------
 
 
--------------------- SSHD Begin ------------------------
 
 
Users logging in through sshd:
   bryce:
      192.168.1.123 (`host4.mydomain.org`): 1 time
 
---------------------- SSHD End -------------------------
 
 
--------------------- Sudo (secure-log) Begin ------------------------
 
 
bryce => root
\-------------
/bin/bash                      -   1 Time(s).
 
---------------------- Sudo (secure-log) End -------------------------
 
 
--------------------- Disk Space Begin ------------------------
 
Filesystem      Size  Used Avail Use% Mounted on
/dev/sdc1       220G   19G  190G   9% /
/dev/loop1      157M  157M     0 100% /snap/gnome-3-28-1804/110
/dev/loop11     1.0M  1.0M     0 100% /snap/gnome-logs/81
/dev/md5        9.1T  7.3T  1.8T  81% /srv/Products
/dev/md6        9.1T  5.6T  3.5T  62% /srv/Archives
/dev/loop14     3.8M  3.8M     0 100% /snap/gnome-system-monitor/127
/dev/loop17      15M   15M     0 100% /snap/gnome-characters/399
/dev/loop18     161M  161M     0 100% /snap/gnome-3-28-1804/116
/dev/loop6       55M   55M     0 100% /snap/core18/1668
/dev/md1        1.8T  1.3T  548G  71% /srv/Staff
/dev/md0        3.6T  3.5T   84G  98% /srv/Backup
/dev/loop2      1.0M  1.0M     0 100% /snap/gnome-logs/93
/dev/loop5       15M   15M     0 100% /snap/gnome-characters/495
/dev/loop8      3.8M  3.8M     0 100% /snap/gnome-system-monitor/135
/dev/md7        3.6T  495G  3.0T  15% /srv/Customers
/dev/loop9       55M   55M     0 100% /snap/core18/1705
/dev/loop10      94M   94M     0 100% /snap/core/8935
/dev/loop0       55M   55M     0 100% /snap/gtk-common-themes/1502
/dev/loop4       63M   63M     0 100% /snap/gtk-common-themes/1506
/dev/loop3       94M   94M     0 100% /snap/core/9066

/srv/Backup (/dev/md0) => 98% Used. Warning. Disk Filling up.
 
---------------------- Disk Space End -------------------------
 
 
###################### Logwatch End #########################

Further reading